Unknown Thread kthreaddnai

Thisisnotmyname
Easy as a breeze
Posts: 447
Joined: Mon Nov 19, 2018 1:21 am

Re: Unknown Thread kthreaddnai

Post by Thisisnotmyname »

Cerberus wrote: Wed Nov 28, 2018 2:27 pm What?!!!
That's impossible!!
It is NOT the solution to proceed in this way.
The BUG must be found!
I first downloaded the firmware and installed it again.
I have checked beforehand, that there is not any of the stuff left.

But that -- is not possible at all!
Unfortunate as it is, that's solid advice. If QNAP can't provide a reliable method of removing the malware and you're unable to clean it yourself (and even if you thought you could would you really trust that it was fully gone?) then a clean reinstall is a valid solution. No one wants to be in that situation but if the latest feedback from QNAP doesn't resolve your issue you do need to consider it. Just a matter of how long you're willing to wait for a better solution while knowing your system is compromised.
Benna80
Easy as a breeze
Posts: 250
Joined: Tue May 19, 2015 4:43 pm

Re: Unknown Thread kthreaddnai

Post by Benna80 »

Here I am with the pionai problem, I've followed the guide, let's see if I've fixed it.
Cerberus
Starting out
Posts: 13
Joined: Thu Nov 03, 2011 11:23 pm

Re: Unknown Thread kthreaddnai

Post by Cerberus »

I have taken the following steps:
- Clean up TMP directory (customized script)
- WEB directory cleanup (delete all foreign PHP scripts and unknown files)
- make index.php (from QNAP) inactive (not required and includes several security bugs)
- NAS reboot
- flash last firmware (again)
- NAS reboot

Now I've been without any particular anomalies for two days.
Benna80
Easy as a breeze
Posts: 250
Joined: Tue May 19, 2015 4:43 pm

Re: Unknown Thread kthreaddnai

Post by Benna80 »

Cerberus wrote: Thu Nov 29, 2018 4:21 pm I have taken the following steps:
- Clean up TMP directory (customized script)
Can you share this script please?
Cerberus
Starting out
Posts: 13
Joined: Thu Nov 03, 2011 11:23 pm

Re: Unknown Thread kthreaddnai

Post by Cerberus »

Wodahs
New here
Posts: 4
Joined: Fri Nov 30, 2018 1:55 am

Re: Unknown Thread kthreaddnai

Post by Wodahs »

Has anyone figured out what the attacker was/is doing?
Wodahs
New here
Posts: 4
Joined: Fri Nov 30, 2018 1:55 am

Re: Unknown Thread kthreaddnai

Post by Wodahs »

I've turned off all the myQNAPcloud stuff. Rebooting seems to flush the TMP folder. I changed the phpMyAdmin password and quarantined the infected files on the website.

I have mirrored drives so I assume I can pull one of the drives, reformat the other update it, then copy the data from the one drive back to the other.

Does anyone have a walkthrough on that?

I'm also concerned about preventing reinfection while updating since I think the default configuration may not be secure.
Thisisnotmyname
Easy as a breeze
Posts: 447
Joined: Mon Nov 19, 2018 1:21 am

Re: Unknown Thread kthreaddnai

Post by Thisisnotmyname »

Wodahs wrote: Fri Nov 30, 2018 2:04 am Has anyone figured out what the attacker was/is doing?
I think someone in one of these threads said there was a bitcoin mining application running as at least part of the payload. Who knows what else (if anything) was going on.
dolbyman
Guru
Posts: 35248
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Unknown Thread kthreaddnai

Post by dolbyman »

Wodahs wrote: Fri Nov 30, 2018 2:04 am Has anyone figured out what the attacker was/is doing?
With a CPU usage that high .. probably cryptomining, and maybe a botnet to infect more devices, but it could be many things (and many things can probably be sideloaded at any time).
Thisisnotmyname
Easy as a breeze
Posts: 447
Joined: Mon Nov 19, 2018 1:21 am

Re: Unknown Thread kthreaddnai

Post by Thisisnotmyname »

Wodahs wrote: Fri Nov 30, 2018 2:13 am
I have mirrored drives so I assume I can pull one of the drives, reformat the other update it, then copy the data from the one drive back to the other.
That won't accomplish much other than burn a lot of your time. If by "copy the data back" you were going to rebuild the array from the second drive you'll bring back any infected files with it. If by "copy the data back" you were intending to copy specific files manually then you might as well just back up the specific files (that you know or reasonably expect are clean) and then not mess around with splitting the array, just blow the whole thing away and then restore your backed up files from cloud/external backup.
Wodahs
New here
Posts: 4
Joined: Fri Nov 30, 2018 1:55 am

Re: Unknown Thread kthreaddnai

Post by Wodahs »

Thisisnotmyname wrote: Fri Nov 30, 2018 2:22 am
Wodahs wrote: Fri Nov 30, 2018 2:13 am
I have mirrored drives so I assume I can pull one of the drives, reformat the other update it, then copy the data from the one drive back to the other.
That won't accomplish much other than burn a lot of your time. If by "copy the data back" you were going to rebuild the array from the second drive you'll bring back any infected files with it. If by "copy the data back" you were intending to copy specific files manually then you might as well just back up the specific files (that you know or reasonably expect are clean) and then not mess around with splitting the array, just blow the whole thing away and then restore your backed up files from cloud/external backup.
I was only going to copy back the data from the shared folders, (I do reasonably expect those are clean.) Not rebuild the array from the second drive, that would totally defeat the purpose of doing this.

How would you recommend reformatting/reloading the NAS without getting reinfected while getting it locked down?
Benna80
Easy as a breeze
Posts: 250
Joined: Tue May 19, 2015 4:43 pm

Re: Unknown Thread kthreaddnai

Post by Benna80 »

By the way, after following the instructions and re-enabling the web server I have a very low CPU usage and no trace of the pionai process.
So I think I've deleted at least the process; low CPU usage and no network activity, I'm very happy with this.
kameha
Starting out
Posts: 11
Joined: Wed Mar 28, 2018 8:45 am

Re: Unknown Thread kthreaddnai

Post by kameha »

Hello all!

I've been running my NAS with no sign of "pionai" for a week now.
Here are the steps I did:
- Run custom script to kill the malware process and remove infected files (see last version below)
- Change phpMyAdmin password
- Close port 80 on my router (all traffic goes through https)
- Installed Malware Remover manually as recommended by QNAP (but it didn't find anything)

#!/bin/bash
# bash, not /bin/sh: the script relies on arrays and +=

NOW=$(date '+%Y%m%d%H%M%S')
LOG_FILE=/share/kameha/clean.log

if [ ! -f "${LOG_FILE}" ]; then
        touch "${LOG_FILE}"
fi

echo "Running at ${NOW}" >> "${LOG_FILE}"

# Kill the miner processes by name. On QTS /bin/ps is busybox, whose first
# column is the PID; with procps-style "ps -ef" the PID is column 2 instead.
ps -ef | grep '/tmp/compma' | grep -v grep | awk '{print $1}' | xargs -r kill -9
ps -ef | grep 'pionai' | grep -v grep | awk '{print $1}' | xargs -r kill -9
ps -ef | grep 'kthreaddnai' | grep -v grep | awk '{print $1}' | xargs -r kill -9

# Split find output on newlines only, so paths containing spaces stay intact
SAVEIFS=$IFS
IFS=$'\n'

# The dropped files on this NAS were owned by the web server user (httpdusr)
# but with group administrators and one of these modes
files=( $(find / -type f -user httpdusr -group administrators -perm 0750) )
files+=( $(find / -type f -user httpdusr -group administrators -perm 0700) )
files+=( $(find / -type f -user httpdusr -group administrators -perm 0640) )
files+=( $(find / -type f -user httpdusr -group administrators -perm 0755) )

for file in "${files[@]}"; do
    echo "Removing $file" >> "${LOG_FILE}"
    rm -f "$file"
done

IFS=$SAVEIFS

echo "End of Run" >> "${LOG_FILE}"
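An added, audit-only companion to the cleanup steps above (not kameha's script, Cerberus's script or anything from QNAP): it reports the indicators this thread names (pionai, kthreaddnai, /tmp/compma, and files owned by httpdusr with group administrators in the modes kameha's script targets) and deletes nothing, so the list can be reviewed before a cleanup or the reinstall dolbyman recommends. The ps and find listings are constructed samples; the busybox ps column layout on QTS and GNU find's -printf are assumptions.

```shell
#!/bin/bash
# Process names / paths the thread attributes to the miner.
PATTERNS='pionai|kthreaddnai|/tmp/compma'

# Read a busybox-style ps listing (PID USER VSZ STAT COMMAND, assumed to be
# what QTS's /bin/ps prints) on stdin and print "PID COMMAND" per match.
# Lines containing grep are skipped so the report never lists the scanner.
suspicious_procs() {
    awk -v pat="$PATTERNS" 'NR > 1 {
        cmd = $5
        for (i = 6; i <= NF; i++) cmd = cmd " " $i
        if (cmd ~ pat && cmd !~ /grep/) print $1, cmd
    }'
}

# Read "owner group mode path" lines (GNU find -printf "%u %g %m %p\n") and
# print paths matching the ownership/mode pattern seen on dropped files:
# owner httpdusr, group administrators, mode 750/700/640/755.
suspicious_files() {
    awk '$1 == "httpdusr" && $2 == "administrators" &&
         ($3 == "750" || $3 == "700" || $3 == "640" || $3 == "755") { print $4 }'
}

# Constructed sample listings standing in for live ps / find output.
SAMPLE_PS='PID  USER     VSZ STAT COMMAND
   1 admin    2040 S    init
 842 httpdusr 9000 R    /tmp/compma/pionai
 901 httpdusr 5100 S    kthreaddnai
 955 admin    3200 S    grep pionai
1020 admin    4000 S    /usr/sbin/httpd'

SAMPLE_FIND='httpdusr administrators 750 /share/Web/uploads/x.php
httpdusr everyone 644 /share/Web/index.php
httpdusr administrators 755 /tmp/compma/pionai
admin administrators 755 /share/Web/config.php'

# On a NAS, feed "ps -ef" and
# "find /share /tmp -type f -printf '%u %g %m %p\n'" in place of the samples.
report() {
    echo "== suspicious processes =="
    printf '%s\n' "$SAMPLE_PS" | suspicious_procs
    echo "== suspicious files =="
    printf '%s\n' "$SAMPLE_FIND" | suspicious_files
}

report
```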
OneCD
Guru
Posts: 12141
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Unknown Thread kthreaddnai

Post by OneCD »

You guys should create a Community Malware Remover QPKG. ;)

Wodahs
New here
Posts: 4
Joined: Fri Nov 30, 2018 1:55 am

Re: Unknown Thread kthreaddnai

Post by Wodahs »

dolbyman wrote: Wed Nov 28, 2018 7:58 am operating a NAS that had its firmware modified .. bad idea .. kill it and start from scratch
Which of these options would that be:

1. Restore Factory Defaults & Format All Volumes
2. Reset Settings
3. Reinitialize NAS

I assume it's 1 or 3?